The Change Healthcare attack is already giving valuable lessons to the healthcare sector – primarily the critical importance of resilience, especially when it comes to the industry’s supply chain and third parties, said Nitin Natarajan, deputy director of the Cybersecurity and Infrastructure Security Agency.
“We’re never going to prevent an incident from happening, and we’re not going to protect every organization until we have a magic bubble,” he said in an interview with Information Security Media Group during the Healthcare Information Management and Systems Society 2024 conference in Orlando.
Change Healthcare, a unit of Optum, which is a subsidiary of UnitedHealth Group, is still recovering key IT systems and services taken offline after a Feb. 21 cyberattack. Since the attack, the outage has been disrupting claims processing, revenue cycle management, prescription services and an array of other processes at scores of medical clinics, hospitals and pharmacies across the country.
“The question is how do we bounce back and build resilience, recover from backups much sooner?” he said, adding that healthcare sector firms must “understand our supply chain vulnerabilities much better – to know we are dependent upon a product, chip or service from within the U.S. or internationally, and being able to mitigate that particular vulnerability of risk.”
“We don’t spend enough time understanding our supply chains – especially in healthcare when you look at the volumes of products that a healthcare institution is dependent upon – both hardware but also day-to-day medical supplies. You need to understand the vulnerabilities and have the redundancies built in to mitigate the risk if one major entity were to go down.”
In this audio interview with Information Security Media Group at the HIMSS conference, Natarajan also discussed:
- The Biden administration’s strategy for bolstering cybersecurity of the healthcare sector and resources from CISA to help;
- Top emerging threats involving AI in the hands of attackers;
- Leading threats and other cyber challenges facing the healthcare sector.
Natarajan was appointed deputy director of CISA in February 2021. Prior to joining CISA, Natarajan served in a variety of public and private-sector positions spanning over 30 years. Most recently he served as a consulting firm executive, providing subject matter expertise on a variety of national security topics. Natarajan also held a number of federal government roles, including deputy assistant administrator at the U.S. Environmental Protection Agency, director of critical infrastructure policy at the White House/National Security Council, and a director at the U.S. Health and Human Services overseeing healthcare and public health programs.